Introduction

In most cases accessing the portal via HTTPS protocol is much more secure than via HTTP which is used by default. But to change the portal access method certain actions must be performed.

Before you can start to switch your Community Server to HTTPS protocol, you will need to create a security certificate in .pem format.

Please make sure that the certificate contains private key. You can check the private key presence opening the certificate with any text editor.

Once you have the certificate, proceed with the steps below to find out how to switch your Community Server to HTTPS protocol.

Switching Community Server to HTTPS using the provided script

The faster way to switch Community Server to HTTPS is to use the provided script. Please refer to this article to find out how this can be done.

Switching Community Server version 8.5 and later to HTTPS manually

You can perform all the script actions manually. For that follow the steps below.

Version 8.5 uses IIS 7 which has its own peculiarities. You will need to bind your security certificate to Community Server using the in-built IIS tools.

If you have a security certificate (either self-signed or issued by a third party), you can bind it to Community Server:

Enter the Internet Information Services (IIS) Manager.

Select the site you need to bind certificate to (ONLYOFFICE portal).

Use the Bindings... option of the right-side menu to open the Site Bindings dialog window.

In the opened window click the Add... button.

Change the type for https and select the previously created certificate from the SSL certificate drop down menu.

Click OK and after that close the Site Bindings window.

After that your certificate will be bound to Community Server. If you have more questions about certificates in IIS 7, please refer to the appropriate Microsoft knowledge base articles.

In case you do not have a certificate, it can be created by Internet Information Services (IIS) Manager means:

Enter the Internet Information Services (IIS) Manager.

Go to server name, select it.

Double-click the Service Certificates option of the IIS section.

Use the Create Self-Signed Certificate option of the right-side menu to open the corresponding dialog window.

Enter the desired certificate name and click OK.

Now you have the self-signed certificate with one year validity period.

Now you need to enable the rewrite rules for your server, so that it processed HTTPS requests instead of HTTP ones only. To do that:

Enter the Internet Information Services (IIS) Manager.

Select the site you need enable HTTPS for.

Use the URL Rewrite option of the right-side menu to open the URL Rewrite window.

Find the following rules: HTTP to HTTPS and Add Strict-Transport-Security when HTTPS and select the Enable Rule for each of them at the right-side panel.

The next steps are not obligatory, but if you want to safeguard your Community Server installation, we strongly recommend that you do it. Go to the IIS Crypto webpage. This is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website. Download and run it, select Best Practices and then Apply. After that reboot your server.

Now you can check if everything is done correct the following way:

Open your portal using the https:// prefix. If it opens and works then you did everything alright.

If your Community Server is available via the internet, you can test its security using the SSL Server Test website. Enter your domain name to the Hostname field and click Submit. Wait for the results. Your security rating should be not worse than A.

Switching Community Server version 7.7.1 and later to HTTPS (prior to 8.5)

Create the ssl_cert folder in the c:\Program Files\Ascensio System SIA\ONLYOFFICE\Router\ directory.

Copy the certificate in .pem format into this newly created directory.

Restart the ONLYOFFICE Router service.

Port 443 must be opened for correct portal operation.

Locate and open the Web.config file in the WebStudio folder (you will need administrator access rights to save the changes), and find the following section in it:

<rewrite>
<rules>
...
</rules>
</rewrite>

Replace everything within this section (marked by "..." above) with the following rules:

If you have Document Server connected and you also want to switch it to HTTPS, you will need to change all the links to it in the web.appsettings.config file from HTTP to HTTPS. See the Connecting Document Server to Community Server article for more information on which lines are used to connect Document Server.

Switching older versions of Community Server to HTTPS (prior to 7.7.1)

Switching older Community Server versions to HTTPS require the following steps for correct work:

Put the certificate in the .pem format with private key to some folder on the computer with Community Server installed.

Go to the c:\Program Files\Ascensio System SIA\ONLYOFFICE\Router\ folder and open the config.js file with some text editor. You need to use administrator access rights to be able to save the changes.

Locate the following line:

config.sslCertPath = '../Cert/https-cert.pem';

replace the ../Cert/https-cert.pem with the path where you put the certificate.

Please note that you need to write the absolute path to the certificate file (e.g. C:/Cert/mycertificate.pem) and forward slashes (not backslashes!) must be used in the path, just as shown in the example.

Restart the ONLYOFFICE Router service.

The appropriate ports must be opened and node.js must be added to firewall exceptions or allow rules.

You might also need to change sslCertPath to sslCert in the config.sslCertPath parameter line.

Download
Host on your own server
Available for
Docker, Windows and Linux